Date of event: April 24, 2021
Moderators: Subhashish Bhadra (ONI), Anand V (Hasgeek)
Discussants: Sharda Balaji (Novo Juris), Samuel Mani (Mani Chengappa Mathur), KK Mookhey (NII Consulting), Kailash Nadh (Zerodha)
Companies have written policies and procedures for data breaches, and Securities and Exchange Board of India (SEBI) regulators provide clear guidelines. In most places, however, cybersecurity is an afterthought. Individuals in leadership positions are mostly not technically aware of data security, and those who are aware are not senior enough to push through the necessary cybersecurity measures. Business considerations always seem to trump technical considerations.
Once your data is on the darknet, it is out; nothing can be done about that. The key is to be prepared. There are only two mitigations: the financial side of cybersecurity, which is quite expensive, and the expertise to negotiate with the people holding your data to get it taken off the hit list. With these in mind, one can take the necessary precautions to prevent data breaches in the first place.
Cybersecurity is more important for consumer-centric technologies than for deep tech. Investors should ask more questions about cybersecurity so that entrepreneurs pay attention to it as well. Investors normally do due diligence on a company's cybersecurity processes and policies before investing, and they prefer companies with certifications such as ISO 27001. Data security is necessary for everyone, and investors need to understand security because it is a key area today.
Security is about protecting your assets. Privacy is about how you use the data you have collected. GDPR frames how data is collected, used and processed as a question of public interest; security is one aspect of that, and privacy is the larger topic.
Organisations rarely face repercussions or pay fines for data breaches. Most of the time, an organisation does not even realise a breach has occurred until an ethical hacker informs it that its data is available on the darknet. Much of this never becomes public.
Organisations that have suffered major data breaches in the recent past include BigBasket, Air India, Domino's Pizza, and the BHIM payment app. Personal data of millions of Indians, including addresses, Aadhaar card scans, caste certificates, and credit card and passport information, was leaked, and much of it was available on the darknet. While these organisations have taken some steps to prevent future breaches, so far little or no action has been taken against them.
One needs to do reasonable diligence; there will never be complete diligence. Make sure the checks are reasonably robust, and then live with the residual risk. Breaches usually stem from small, silly mistakes, such as someone in the organisation being the weak link and clicking a wrong link.
On the policy side, SEBI introduced a comprehensive 54-point cybersecurity guideline three years ago, but most vendors still do not hold the certifications the guideline requires. It is therefore impossible to enforce all of the policies it contains, and investors have to accept this until something changes.
There is no law that forces a company to disclose a breach unless sensitive personal information is involved.
GDPR applies to a data breach at any company that processes data on individuals in Europe, regardless of where the company is physically located; the same holds for other countries under their own data protection laws. Unless a company is using European data at the product level, it does not have to comply with GDPR.
The price of breached data on the data trade market falls sharply over time, and its accuracy degrades too. The losses are socialised and largely borne by the public, and they are not tracked.
Summary prepared by Anwesha Sen